What's this?


The man page for tcpdump starts like this:

NAME
       tcpdump - dump traffic on a network

SYNOPSIS
       tcpdump [ -AbdDefhHIJKlLnNOpqStuUvxX# ] [ -B buffer_size ]
               [ -c count ]
               [ -C file_size ] [ -G rotate_seconds ] [ -F file ]
               [ -i interface ] [ -j tstamp_type ] [ -m module ] [ -M secret ]
               [ --number ] [ -Q in|out|inout ]
               [ -r file ] [ -V file ] [ -s snaplen ] [ -T type ] [ -w file ]
               [ -W filecount ]
               [ -E spi@ipaddr algo:secret,... ]
               [ -y datalinktype ] [ -z postrotate-command ] [ -Z user ]
               [ --time-stamp-precision=tstamp_precision ]
               [ --immediate-mode ] [ --version ]
               [ expression ]






That is SO MANY options!

It's ok, you only need to know like 3!












I'm going to tell you why I love tcpdump and how to get started!

Julia Evans
@b0rk
http://jvns.ca  <- my blog


Linux networking tools (they all do different things!)

look up a domain

see if a port on another server is open

NetworkManager: GUI tool to configure the network on your laptop

what ports are being used?

can't forget this one! configure sockets, buffer sizes, and more!

nethogs / ab / nload
iptraf / netperf / iperf
iftop / netsniff-ng
lots of performance / benchmarking tools

ping, but it uses TCP

set up a VPN!

like netcat, but more featureful











Thanks so much for reading!

Now that I understand the basics, the man page isn't so bad!
Questions you can answer with tcpdump

> What DNS queries is my laptop sending?
  tcpdump -i any port 53

> I have a server running on port 1337. Are any packets arriving at that port AT ALL???
  tcpdump -i any port 1337

> What packets are coming into my server from IP 1.2.3.4?
  tcpdump port 1337 and host 1.2.3.4

> Show me all DNS queries that fail
  tcpdump 'udp[11] & 0xf == 3'
  (complicated but it works!)

> How long are the TCP connections on this box lasting right now?
  tcpdump -w packets.pcap
  and analyze packets.pcap in Wireshark

and here are a few more good ones:


-A: This prints out the packet's contents. For example, suppose I have a webserver on port 7777.

  $ sudo tcpdump -A dst port 7777

will show me all the HTTP requests being sent to that server. Only works for HTTP, not HTTPS.

(I like ngrep more than tcpdump -A for looking at HTTP request bodies though)

-n: By default, tcpdump will translate IP addresses to hostnames. -n forces it to just always print out the IP address.

-e: Includes Ethernet information! This shows you the MAC address that the packet came from. 'e' is for ethernet.
    Example: sudo tcpdump -e -i any port 443

-p: makes sure you only get packets that are to or from your computer
BPF Filters

tcpdump uses a small language called BPF to let you filter packets.

When you run $ sudo tcpdump port 53, "port 53" is a BPF filter. Here's a quick guide!

src port 80
dst port 80
tcp port 80
src host 1.2.3.5
dst host 1.2.3.4
  <- these are what they look like

> port 53
  checks if the source port OR the dest port is 53. Matches TCP port 53 and UDP port 53.

> host 192.168.3.2
  checks if the source or dest IP is 192.168.3.2

> udp[11] & 0xf == 3
  You can do bit math like this on packet content. This checks for the DNS response code 'NXDOMAIN'.
  (I googled to find this and it works!)

> host 11.22.33.49 and port 80
  You can use 'and', 'or', and 'not'

Wireshark!

I want to know more about what's in my packets!

Wireshark is an incredibly powerful packet analysis tool!

What protocols do you understand, Wireshark?

HTTP! TCP! MSN! AIM! AOL! Ethernet! Bluetooth! A lot, okay?

Things Wireshark has:

* nice graphical interface
* it can connect TCP packets from the same connection
* search through your packets easily

If you want to analyze packets from tcpdump with Wireshark, you can either:
1) Save a .pcap file and open it with Wireshark
2) Use this incantation to pipe tcpdump output into Wireshark:

ssh some.remote.host tcpdump -pni any -w - -s0 -U port 8888 | wireshark -k -i -


